Using AI in Tax Workflows? What Heppner Means for Tax Departments
March 02, 2026The Heppner ruling marks an early and consequential development in how courts may evaluate privilege when artificial intelligence tools are incorporated into legal, tax, and business operations.
On February 10, 2026, Judge Jed Rakoff of the US District Court for the Southern District of New York held in an oral decision (United States v. Heppner, No. 25 Cr. 503 (JSR) (S.D.N.Y.)) that a defendant’s communications with a publicly available AI platform were not protected by either the attorney-client privilege or the work product doctrine.
Being one of the first rulings to address privilege claims involving generative AI, it has attracted significant attention. But beyond the novelty, the more pressing question is what the decision means for companies, including their tax departments, that are increasingly incorporating AI into their workflows.
In the tax context, privilege protections are foundational. The attorney-client privilege, the Section 7525 “tax practitioner” privilege, and the work product doctrine each serve to protect materials from disclosure. The Heppner ruling suggests that the use of generally available AI platforms may jeopardize those protections: either because privilege never attaches in the first instance or because uploading materials to an AI platform constitutes a waiver.
As courts begin to confront these issues more frequently, the contours of privilege in the AI context will continue to evolve. Until greater clarity emerges, tax practitioners and taxpayers alike should approach the use of AI tools thoughtfully and carefully evaluate how those tools may affect the protection of sensitive materials.[1]
CASE BACKGROUND
Bradley Heppner, a Dallas-based financial services executive, was charged with securities fraud and wire fraud. After learning that he was the target of a government investigation, and after retaining outside counsel, Heppner himself used a publicly available AI platform to research legal issues related to the investigation.
He was not acting at the express direction of his counsel, but input information he had learned from his attorneys into the AI platform with the “express purpose of talking to counsel” and obtaining his counsel’s “legal advice.” Using these inputs, he ran queries related to the investigation, which generated 31 prompt-and-response documents (the AI Documents). He later transmitted those materials to his defense counsel prior to his arrest to facilitate discussions about their contents.
On the same day as Heppner’s arrest, the Federal Bureau of Investigation seized electronic devices that contained the AI Documents. Defense counsel asserted attorney-client privilege and work product protection over the AI Documents and provided a privilege log to the government.
The government disagreed and on February 6 moved for a ruling that the protections did not apply. At a hearing on February 10, and before the defense filed a formal response, the court held that the AI Documents were not protected by either the attorney-client privilege or the work product doctrine. The court followed up with a written opinion on February 17.
Why Did the Court Hold That the AI Documents Were Not Protected By the Attorney-Client Privilege?
As is black letter law, the attorney-client privilege protects communications (1) between a client and their attorney, (2) that are intended to be, and in fact were, kept confidential, and (3) for the purpose of obtaining or providing legal advice. Applying these familiar elements, the court concluded that “at least two, if not all three,” were lacking:[2]
First, the court held that the communications were not between a client and an attorney. The AI Documents consisted of Heppner’s prompts to and responses from a publicly available AI platform. Because the AI platform is not an attorney, the court reasoned that the communications were not between a client and his lawyer. The fact that Heppner later shared the AI-generated materials with his defense counsel did not “transform” his AI communications into privileged ones.
Second, the court found no reasonable expectation of confidentiality. The court emphasized that the AI platform’s privacy policy informed users that information entered into the platform could be used for training and disclosed to third parties including government agencies. In the court’s view, this disclosure by Heppner undermined any claim that the communications were intended to be, or were in fact, kept confidential.
Third, the court questioned whether the communications were made for the purpose of obtaining legal advice. The court noted that Heppner engaged with the AI platform on his own initiative rather than at the direction of counsel. In doing so, the court appeared to distinguish between seeking advice from a licensed attorney and independently consulting a publicly available AI tool.
In the alternative, the court ruled that, even if some portion of the materials had been privileged initially, any such protection was waived when Heppner disclosed the information to the AI platform.
Why Did the Court Hold That the AI Documents Were Not Protected By the Work Product Doctrine?
Under the work product doctrine, a party generally may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative. The court held that the AI Documents were not protected by the work product doctrine because they were created by Heppner alone and not at the direction of his defense counsel.
The work product protection thus did not attach to the AI Documents even though Heppner’s counsel had provided him with the information that he inputted into the AI platform in the first instance, which were arguably created in anticipation of litigation. The sticking point for the court was that the AI Documents were simply not prepared by an attorney or their agents and therefore could not be protected as work product.[3] Notably, it does not appear that the court wrestled with a waiver alternative for the work product doctrine.[4]
IMPLICATIONS FOR TAX DEPARTMENTS
Courts have long required the application of established privilege doctrines to new technologies. Email,[5] text messages,[6] cloud storage,[7] and electronic document management systems[8] all led to early uncertainty before more-settled principles emerged. Generative AI simply presents the next iteration of that challenge. While Heppner is one of the first decisions to address these issues directly, it will not be the last. In the interim, tax departments should assume that privilege risks associated with AI use are real and evolving.
Several practical considerations warrant immediate attention:
Publicly Available AI Platforms May Present Meaningful Waiver Risk
At a minimum, Heppner underscores the risk that uploading privileged material to a publicly available AI platform[9] may constitute a waiver, especially for the attorney-client privilege.
The court’s alternative holding—that even if privilege attached it was waived by disclosure to the AI platform—should alone give tax departments pause. Consider a common scenario: an employee uploads a privileged legal opinion or memorandum (protected by the attorney-client privilege or Section 7525) and asks the AI tool to generate counterarguments or risk assessments. Under Heppner’s reasoning, that disclosure could undermine the confidentiality element required to maintain privilege if uploaded to a publicly available AI platform that may train on and share user inputs.
There is case law to suggest that disclosure to third-party technology providers, such as cloud storage platforms, does not automatically result in waiver where confidentiality is maintained through contractual protections.[10] But publicly available AI tools potentially present a different risk profile, particularly where privacy policies allow for data use, model training, or discretionary disclosure. Under such a scenario, would a taxpayer have a reasonable expectation of privacy to the uploaded materials?
Until courts more clearly define whether AI platforms are analogous to traditional cloud providers or constitute broader third-party disclosure (or until AI platforms tighten their use and disclosure policies for publicly available versions), waiver risk remains unsettled.[11]
Waiver risk using enterprise AI systems (i.e., nonpublic, company-restricted AI tools) may be more limited, particularly where data is segregated, inputs are not used for model training, contractual confidentiality protections are robust, and access is internally controlled.[12] Even so, the issue is still new and even the use of enterprise AI systems is not risk-free at present.
Whether Privilege Attaches in the First Instance Is Less Clear
Assuming a taxpayer can get past the first threshold question by using an AI platform that reasonably protects the privacy of the uploaded materials, the question remains of whether the materials input into an AI system by a nonlawyer can be privileged in the first place. Staying with the example above, a tax memo received from an outside advisor that conveys legal or tax advice is likely privileged when received and protected by the attorney-client privilege or Section 7525 (and perhaps work product as well). Uploading such a privileged memo to a closed AI platform with relevant prompts may very well be protected as to input and output.
But what to make of documents more similar to the materials at issue in Heppner? Consider where a nonlawyer and non-federally authorized tax practitioner (FATP) in a tax department takes call notes from counsel and uses an AI platform to formulate additional questions to raise with counsel so that they can provide future legal advice. Could such materials uploaded to a closed AI platform be privileged (even if neither counsel nor FATP instructed the taxpayer to put together such materials)? Under established case law, the answer could be yes under either the attorney-client privilege or the work product doctrine.
While the Heppner court avoided having to answer this question because it ruled that the inputs and AI Documents failed the confidentiality element, another court could reasonably distinguish Heppner on its facts related to the materials uploaded into the AI platform if the platform provided the party a reasonable expectation of privacy.
For example:
Attorney-Client Privilege. Courts have recognized that privilege may extend to:
- Client notes memorializing communications with counsel, and
- Materials prepared by a client to facilitate discussions with attorneys (especially if actually turned over to counsel or discussed with counsel).[13]
If AI prompts reflect a client’s effort to organize legal advice already received or prepare for discussions with counsel, there is a plausible argument that privilege could attach provided that confidentiality is maintained.[14]
Work Product Doctrine. In contrast to Heppner’s criminal posture, Federal Rule of Civil Procedure 26(b)(3) protects materials prepared “by or for” a party or its representatives in anticipation of litigation. For civil purposes, the rule does not require that an attorney personally prepare the document.[15] Advisory Committee Notes confirm that the doctrine extends at least a qualified protection to materials prepared by nonlawyers.[16]
Accordingly, if a tax department employee prepares materials in anticipation of litigation (as opposed to preparing materials in the ordinary course of business), even without express direction from counsel, work product protection should apply.
For certain tax work, the more difficult question is whether litigation was reasonably anticipated at the time the materials were generated. For planning-stage tax work, that determination is fact-intensive.[17] As such, if there was a reasonable anticipation of litigation, inputting materials into an AI platform should potentially maintain protection, especially given the work product specific waiver rules.[18]
For example, in Warner v. Gilbarco, Inc., the Eastern District of Michigan denied a party’s request seeking production of all documents and information concerning the opposing party’s use of third-party AI tools, including both input and outputs. The court determined that such information was protected by the work product doctrine covering nonlawyer (party) materials prepared in anticipation of litigation. The court likewise held that using an AI platform did not waive work product protection because it requires providing such materials “to an adversary or in a way likely to get in an adversary’s hand.”
Given the variability in how courts apply these principles, best practice may be to have counsel perform particularly sensitive analyses until more firm rules are established for AI platforms.
Practical Guardrails for Tax Departments
Privilege determinations are inherently fact-specific. In light of Heppner, tax departments should consider implementing the following guardrails:
- Avoid uploading privileged opinions, memoranda, or litigation analyses into publicly available AI tools.
- Confirm that any enterprise AI systems are sufficiently private and restricted to demonstrate a reasonable expectation of privacy for materials uploaded or input.
- To the extent possible, have materials prepared at the direction of counsel, be it in-house or outside counsel or FATP (rather than by nonlawyers and non-FATP on their own volition).
- Rely on counsel to conduct AI-assisted legal analyses for the most sensitive materials.
- Likewise, before relying on work product protections, ensure that there is a reasonable anticipation of litigation before generating AI-assisted analyses.
LOOKING AHEAD
As courts begin to address how traditional privilege doctrines apply to generative AI, uncertainty will persist. Heppner represents a cautionary application of established rules to a rapidly developing technology. Because the protections afforded by the attorney-client privilege, Section 7525 privilege, and work product doctrine are all based on a facts-and-circumstances analysis, it is particularly prudent to assess each issue on a case-by-case basis and in light of the court’s rationale in Heppner.
It is important that tax departments, and those that advise them, maintain good AI hygiene, educate themselves on how the use of AI can present both opportunities and challenges, and consider adopting policies that set forth what the team can and cannot do with respect to the use of generative AI. And until such a time that appellate courts or additional trial court decisions provide greater clarity, they should assume that the use of publicly available AI platforms may jeopardize their continuing protection and structure their workflows accordingly.
Contacts
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
[1] In addition to the privilege considerations highlighted in this LawFlash, the use of generative AI by a lawyer implicates ethical obligations, including maintaining competence, acting with diligence, and maintaining client confidentiality as well as such other challenges as addressing potential biases in training data and algorithmic decision-making and data privacy in predictive analytics. These ethical obligations and other challenges are outside the scope of this article but are also important factors to consider when contemplating the use of generative AI.
[2] United States v. Bradley Heppner, 25 CR 503 (JSR), Bench Memorandum dated February 17, 2026 (Document 27).
[3] Brush, Peter, AI Docs Sent by Exec To Attys Not Privileged, Judge Says, Law360, February 10, 2026. Heppner, at 12.
[4] In the Bench Memorandum’s footnote 3, it appears that the discussion of waiver is limited to the attorney-client privilege.
[5] See, e.g., In re Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005) (emails sent from work computer potentially confidential: “the question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable,” based in part on a “company’s e-mail policies regarding use and monitoring, its access to the e-mail system, and the notice provided to the employees”). Indeed, before 1999 there were questions regarding whether unencrypted email could be confidential. See ABA Formal Opinion 99-413.
[6] See, e.g., Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 905 (9th Cir. 2008), rev’d 560 U.S. 746 (finding a reasonable expectation of privacy in text messages stored by a service provider); State v. Clampitt, 364 S.W.3d 605 (Mo. Ct. App. 2012); Sonrai Sys., LLC v. Romano, 2020 WL 7027567 (N.D. Ill. Nov. 30, 2020).
[7] See, e.g., Harleysville Ins. Co. v. Holding Funeral Home, Inc., 2017 WL 4368617, at *7 (W.D. Va. Oct. 2, 2017) (holding that the plaintiff took precautions to safeguard the confidentiality of documents uploaded to a Box account where, despite a lack of password protection on the folder, the documents were only accessible using a unique link and not readily accessible to anyone with internet access).
[8] See Diamond Resorts U.S. Collection Development, LLC v. US Consumer Attorneys, P.A., 2021 WL 4482913 (S.D. Fla. Sept. 14, 2021) (no waiver of the attorney-client privilege by uploading account notes to a customer relationship management (CRM) system where third parties had access to the notes but did not access those files except technology support personnel for troubleshooting purposes).
[9] There are a variety of different AI tools available, including the type utilized by Heppner, which was an open- or external-source AI system. These systems generally send prompts and retrieve information from outside an organization’s controlled environment. From the privilege perspective, this introduces a third party into the communication chain. There are also closed or private AI systems that operate entirely within an organization’s controlled environment. These tools are hosted on a controlled, dedicated infrastructure and limited to curated internal data sources. From a privilege perspective, the use of a private model would strengthen the argument that the use of the AI tool is analogous to other internal research tools, but other considerations—such as who has access, the purpose of the communication, and whether the user is acting at the direction of counsel—would still be applicable.
[10] See, e.g., Harleysville Ins. Co., 2017 WL 4368617, at *7. See, e.g., State Bar of Arizona, Opinion No. 05-04; State Bar California Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2012-184.
[11] Given the uncertainty in this area, it is possible that Congress may weigh in to provide protection if certain “expectation of privacy” conditions are met.
[12] As recent New York City Bar Formal Opinion 2025-6 noted regarding the impact of AI’s use on confidentiality: “Attorneys also should consider what privacy and security safeguards are in place in an AI tool to protect the data, including where data will be stored and for how long, how data might be retrievable through discovery, whether the tool uses such data for training, and whether there is a right to data deletion.” See also American Bar Association, Formal Opinion 512 (“Because [generative AI] tools now available differ in their ability to ensure that information relating to the representation is protected from impermissible disclosure and access, this risk analysis will be fact-driven and depend on the client, the matter, the task, and the GAI tool used to perform it.”).
[13] See, e.g., United States v. DeFonte, 441 F.3d 92 (2006); Attorney-Client Privilege: Specific Communications (Federal). This protection also relates to communications among corporate employees that reflect advice rendered by counsel to the corporation. However, materials prepared at the direction of counsel to facilitate legal discussions may provide greater protection under the attorney-client privilege. See, e.g., Bernbach v. Timex Corp., 174 F.R.D. 9 (D. Conn. 1997) (holding that the communication of client notes made for the purpose of informing counsel about relevant events and conditions taken in anticipation of meeting with an attorney were protected by attorney-client privilege); United States ex rel. Locey v. Drew Med., Inc., 2009 WL 88481 at *2–3 (M.D. Fla. Jan. 12, 2009) (holding that a chronology prepared by a relator with the intent to provide it to counsel was protected by attorney-client privilege because it was prepared at the direction of counsel); Correia v. Marine Travelift, Inc., 2025 WL 1757814 (D.R.I. June 23, 2025) (holding that a client’s notes created at counsel’s direction to assist the counsel in providing legal advice to the client is protected by attorney-client privilege even if the client does not immediately send the notes to counsel).
[14] A remaining unanswered question is whether the output from an AI platform can also be protected by the attorney-client privilege. Does it need to be considered prepared by the party or one of its representatives? Can an attorney be able to say that they are using the AI platform merely as an “assistant” in furtherance of providing legal advice to the client (e.g., like a paralegal within their firm), or is that unnecessary if the input contained privileged material?
[15] Shih v. Petal Card, Inc., 565 F. Supp. 3d 557 (S.D.N.Y. 2021); Hayden v. Acadian Gas Pipeline System, 173 F.R.D. 429 (E.D. La. 1997).
[16] Spaulding v. Denton, 68 F.R.D. 342 (D. Del. 1975) (explaining change to FRCP 26: “any distinction between attorney ‘work product’ and non-attorney ‘work product’ was abolished”).
[17] See, e.g., United States v. Chevron Texaco Corp., 241 F. Supp. 2d 1065 (N.D. Cal. 2002) (finding a reasonable anticipation of litigation when “from the first day Chevron contemplated a transaction of this type it was a virtual certainty that the IRS would challenge the transaction in litigation”).
[18] Warner v. Gilbarco, Inc., 24-cv-12333 (Feb. 10, 2026 Order). Attorney-client privilege may be waived when disclosing those privileged materials to a third party, but work product protection is not subject to that same general rule. Disclosing work product to a third party only waives the protection if disclosed directly to an adversary or the disclosure increases the likelihood that an adversary can access the materials.